US20130166981A1 - Apparatus and security system for data loss prevention, and operating method of data loss prevention apparatus - Google Patents
Apparatus and security system for data loss prevention, and operating method of data loss prevention apparatus Download PDFInfo
- Publication number
- US20130166981A1 US20130166981A1 US13/362,838 US201213362838A US2013166981A1 US 20130166981 A1 US20130166981 A1 US 20130166981A1 US 201213362838 A US201213362838 A US 201213362838A US 2013166981 A1 US2013166981 A1 US 2013166981A1
- Authority
- US
- United States
- Prior art keywords
- instance
- line
- packets
- processing
- mirroring
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0654—Management of faults, events, alarms or notifications using network fault recovery
- H04L41/0668—Management of faults, events, alarms or notifications using network fault recovery by dynamic selection of recovery network elements, e.g. replacement by the most appropriate element after failure
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L1/00—Arrangements for detecting or preventing errors in the information received
- H04L1/08—Arrangements for detecting or preventing errors in the information received by repeating transmission, e.g. Verdan system
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/02—Details
- H04L12/22—Arrangements for preventing the taking of data from a data transmission channel without authorisation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/02—Capturing of monitoring data
- H04L43/028—Capturing of monitoring data by filtering
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/20—Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
- G06F11/2002—Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where interconnections or communication control functionality are redundant
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/20—Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
- G06F11/2097—Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements maintaining the standby controller/processing unit updated
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/54—Store-and-forward switching systems
- H04L12/56—Packet switching systems
- H04L12/5601—Transfer mode dependent, e.g. ATM
- H04L2012/5603—Access techniques
Definitions
- the present invention relates to a high-performance package security system, and more particularly, to a DLP security system capable of processing and filtering a packet in an in-line method or a mirroring method and an operating method thereof.
- a content-aware data loss prevention (DLP) security system prevents an accident by interrupting or leaving a log when a user accesses customer's personal confidential information, an in-company confidential material, and the like through an e-mail, a messenger, a P2P, or the like.
- DLP data loss prevention
- the DLP security system may perform content and protocol based information leakage prevent on and malignant activity interrupt on functions such as blocking accessing to unsound sites or leaving log information when the user accesses the Internet.
- the DLP security system in the related art is determined and operated in a specific network matching method between an in-line method and a mirroring method during initial installation. Specifically, the DLP security system using the in-line method in the related art is installed directly on a network line to interrupt a bidirectional packet in real time or leave the log. The DLP security system using the mirroring method in the related art collects a packet receiving the bidirectional packet through a TAP without influencing an original traffic installing the TAP on the network line.
- the DLP security system using the in-line method in the related art is linked with an additional fail over device (F.O.D) system against a network fail in which an Internet line is interrupted and the Internet is disconnected when a system fail occurs to continuously provide a service among existing networks through an F.O.D even though a system fail occurs, thereby making it possible to assure network availability.
- F.O.D fail over device
- the DLP security system in the related art cannot but abandon logging and interrupting functions of personal information leakage packets during replacing or restoring the system.
- the DLP security system using the mirroring method in the related art does not influence an original network at all even when the system is broken, but there is a problem in that a real-time interruption rate is deteriorated according to an Internet protocol or network components. Further, the DLP security system of the mirroring method in the related art cannot but abandon logging and interrupting functions of packets during replacing or restoring the system.
- An exemplary embodiment of the present invention provides a DLP apparatus, including: an Ethernet signal matching unit converting Ethernet signals received from a fail over device that are transmitted and received between an external network and an internal network; a packet processing unit classifying the packets into first packets required to be precisely judged and packets not required to be precisely judged and transferring the second packets to the fail over device to transmit the corresponding packets to an original destination; multi instance software operating a plurality of processing instances judging whether the first packets are final packets requiring log storing or session interruption by a predetermined judgment algorithm; a multi instance matching unit allocating a judgment job of the first packets to the plurality of processing instances according to a predetermined reference; and a management instance software verifying whether there is a processing instance which is normally operated among the plurality of processing instances when a fail occurs in at least one of the plurality of processing instances and command the multi instance matching unit to allocate the judgment job which is allocated to the processing instance in which the fail occurs to the processing instance which is normally operated when there is the processing instance which is normally
- Another exemplary embodiment of the present invention provides a DLP security system, including: a fail over device exchanging Ethernet signals transmitted and received between an external network and an internal network in an in-line method or a mirroring method; and a DLP apparatus including a processing instance judging whether log storing or interruption is required with respect to packets corresponding to the Ethernet signals and performing processing corresponding to a result of the judging, receiving the Ethernet signals in the in-line method from the fail over device controlling the fail over device in the in-line method when the processing instance is normally operated, and receiving the Ethernet signals in the mirroring method from the fail over device controlling the fail over device in the mirroring method when a fail occurs in the processing instance.
- Yet another exemplary embodiment of the present invention provides an operating method of a DLP apparatus, including: converting, into packets, Ethernet signals received from a fail over device that are transmitted and received between an external network and an internal network; analyzing the packets to classify the packets into first packets required to be precisely judged and second packets not required to be precisely judged; distributing and allocating a judgment job about the first packet to at least one in-line instance according to a predetermined reference; and allocating the judgment job distributed to the in-line instance in which a fail occurs to the in-line instance which is normally operated when it is verified whether there is the in-line instance which is normally operated in the case where the fail occurs in the at least one in-line instance.
- FIG. 1 is a configuration diagram showing a content-aware DLP security system according to an exemplary embodiment of the present invention.
- FIG. 2A is a flowchart showing an operating method of a DLP apparatus according to an exemplary embodiment of the present invention.
- FIG. 2B is a diagram showing a fail over device set by a mirroring method according to an exemplary embodiment of the present invention.
- FIG. 3A is a diagram showing a duplication mode according to an exemplary embodiment of the present invention.
- FIG. 3B is a diagram showing a load balancing mode according to an exemplary embodiment of the present invention.
- FIG. 3C is a diagram showing a dual mode according to an exemplary embodiment of the present invention.
- FIG. 1 is a configuration diagram showing a content-aware DLP security system according to an exemplary embodiment of the present invention.
- the content-aware DLP security system 12 includes a fail over device (F.O.D) 200 and a DLP apparatus 100 .
- F.O.D fail over device
- the F.O.D 200 transmits an Ethernet signal between an external network and an internal network to the DLP apparatus 100 by an in-line method or a mirroring method according to a control of the DLP apparatus 100 .
- the F.O.D 200 transfers input/output packets of bidirectional (inbound and outbound) traffic to the DLP apparatus 100 operating in an in-line method during a normal operation, or receives the input/output packets from the DLP apparatus 100 to transmit the corresponding input/output packets to a destination.
- the network traffics between the external network and the internal network are divided into the in-bound traffics transferred from ⁇ circle around ( ⁇ ) ⁇ to ⁇ circle around ( ⁇ ) ⁇ ′ and out-bound traffics transferred from ⁇ circle around ( 2 ) ⁇ to ⁇ circle around ( 2 ) ⁇ ′.
- the F.O.D 200 primarily transfers all of the bidirectional network traffics to the DLP apparatus 100 and the DLP apparatus 100 packet-processes the traffics and thereafter, the F.O.D 200 receives packets judged that precise judgment is not required again to transmit the received packets to an original destination network.
- the F.O.D 200 is switched to the mirroring method when the fail of the DLP apparatus 100 occurs and mirrors the Ethernet signal between the external network and the internal network in the mirroring method using a TAP as a network switch to transmit the mirrored Ethernet signal to the DLP apparatus 100 .
- the DLP apparatus 100 includes a network state controlling unit 130 , an Ethernet signal matching unit 110 , a packet processing unit 120 , a multi instance matching unit 140 , and multi instance software 150 .
- the Ethernet signal matching unit 110 and the packet processing unit 120 may be included in PCI-e type packet processing card 110 and 120 .
- the PCI-e type packet processing card 110 and 120 and the multi instance matching unit 140 are provided in one main board and the multi instance software 150 and management instance software 160 may be executed in the corresponding board.
- the network state controlling unit 130 transfers a control command to the F.O.D 200 to control a network matching method of the F.O.D 200 by the in-line method or mirroring method.
- the network state controlling unit 130 may switch the network matching method according to a control of the management instance software 160 .
- the Ethernet signal matching unit 110 includes two Ethernet ports that transmit and receive the bidirectional network traffics, respectively and converts the Ethernet signals inputted into and outputted from the two Ethernet ports into packet types to transfer the converted packets to the packet processing unit 120 .
- the packet processing unit 120 analyzes, filters, pattern-matches or session-manages the inputted/outputted packets to filter effective packets required to be precisely judged.
- the packet processing unit 120 may be a multi core processor or multi core logic.
- the packet processing unit 120 analyzes the inputted/outputted packets, verifies information on the packets, filters the packets, pattern-matches the packets, or session-manages the packets depending on their own purposes, and transfers the effective packets required to be precisely judged for interruption or logging to the multi instance software 150 through the multi instance matching unit 140 and retransmits other packets which may be passed to the F.O.D 200 to transmit the corresponding packets to an original destination network.
- the multi instance matching unit 140 may allocate a judgment job of the effective packets received from the packet processing unit 120 to the multi instance software 150 in various methods.
- the multi instance matching unit 140 may allocate the same judgment job to each in-line instance to perform the same judgment job, distribute and allocate the judgment job based on the traffics so as to allocate substantially the same traffics to each in-line instance, and transfer effective packet of corresponding protocols to the in-line instances that take charge of different protocols to allocate the judgment job based on the protocol of the effective packet.
- the management instance software 160 may verify the traffic (processing load), an operational state of each in-line instance, or the like, notify occurrence of an error to the multi instance matching unit 140 when the error occurs in the in-line instance, and control the network matching method of the F.O.D 200 according to the operational state (the occurrence of the fail or not) of the in-line instance.
- the management instance software 160 may control the F.O.D 200 in the in-line method through the network state controlling unit 130 when the in-line instance is normally operated and control the F.O.D 200 in the mirroring method when the fail occurs in all the in-line instances.
- the multi instance software 150 as software operating a plurality of instances is mounted with a judgment algorithm, a logging function, and an interruption function.
- Each in-line instance and each mirroring instance judge whether the effective packets received from the multi instance matching unit 140 are packets (final effective packets) harmful or confidential information, according to the judgment algorithm and when each in-line instance and each mirroring instance judge that the effective packets are the final effective packets, each in-line instance and each mirroring instance interrupt a session corresponding to the final effective packet or store a log for the final effective packet according to a predetermined policy corresponding to the type.
- the in-line instance when the in-line instance is allocated with the judgment job for the effective packet, the in-line instance performs the corresponding judgment job in real time and processes the judgment job in the in-line method in which other processing of the corresponding effective packet cannot be performed until the judgment job of the corresponding effective packet ends. Therefore, the in-line instance generally processes a small quantity of traffics.
- the mirroring instance Since the mirroring instance performs post-processing of the effective packet while being allocated with the judgment job of the effective packet, the mirroring instance processes the judgment job in the mirroring method which does not influence even other processing of the corresponding effective packet even though the judgment job of the corresponding effective packet does not end. Therefore, the mirroring instance generally processes a large quantity of traffics.
- the DLP apparatus of FIG. 1 includes total n-1 in-line instances and one mirroring instance as an example, but the DLP apparatus may include a plurality of instances constituted by in-line instances and mirroring instances half and half and may be configured to include only a plurality of in-line instances or only a plurality of mirroring instances.
- FIG. 2A is a flowchart showing an operating method of a DLP apparatus according to an exemplary embodiment of the present invention
- FIG. 2B is a diagram showing a fail over device set by a mirroring method according to an exemplary embodiment of the present invention.
- the management instance software 160 verifies whether the fail occurs in the in-line instance (S 210 ).
- the management instance software 160 verifies whether the fail occurs in all the in-line instances when the fail occurs in the in-line instance (S 220 ).
- the management instance software 160 processes the corresponding judgment job by other in-line instance or mirroring instance controlling the multi instance matching unit 140 so as to distribute the judgment job of the effective packet allocated to the in-line instance in which the fail occurs to other in-line instance or mirroring instance when the fail does not occur in all the in-line instance (S 260 ).
- the management instance software 160 switches the F.O.D 200 to the mirroring method through the network state controlling unit 130 when the fail occurs in all the in-line instances (S 230 ). Therefore, the F.O.D 200 may continuously perform the judgment job of the effective packet by the mirroring instance while continuously collecting the effective packet mirroring the network traffic to the DLP apparatus 100 and bypassing the network traffic connecting the network traffics of ⁇ circle around ( ⁇ ) ⁇ and ⁇ circle around ( ⁇ ) ⁇ ′ and ⁇ circle around ( 2 ) ⁇ and ⁇ circle around ( 2 ) ⁇ ′ by the TAP, as shown in FIG. 2B .
- the management instance software 160 verifies whether the in-line instance is restored while continuously performing the judgment job by the mirroring instance (S 240 ).
- the management instance software 160 switches the F.O.D 200 to the in-line method through the network state controlling unit 130 when the in-line instance is restored (S 250 ). Then, the F.O.D 200 is switched to the in-line method again to transfer the network traffics by the in-line method and the multi instance software 150 may normally in-line process the packets.
- the DLP security system including the plurality of in-line instances and at least one mirroring instance is described as an example in FIGS. 2A and 2B , but the DLP security system may include only the in-line instance or only the mirroring instance.
- the DLP security system including only the in-line instance allocates the judgment job allocated to the in-line instance in which the fail occurs to the in-line instance which is normally operated when even one in-line instance is normally operated.
- the DLP security system including only the mirroring instance allocates the judgment job allocated to the mirroring instance in which the fail occurs to the mirroring instance which is normally operated when even one mirroring instance is normally operated.
- FIGS. 3A to 3C a packet processing method of a DLP apparatus according to an exemplary embodiment of the present invention will be described with reference to FIGS. 3A to 3C .
- FIG. 3A is a diagram showing a duplication mode according to an exemplary embodiment of the present invention
- FIG. 3B is a diagram showing a load balancing mode according to an exemplary embodiment of the present invention
- FIG. 3C is a diagram showing a dual mode according to an exemplary embodiment of the present invention.
- FIGS. 3A and 3B show a DLP apparatus including two in-line instances as an example
- FIG. 3C show a DLP apparatus including one in-line instance and one mirroring instance as an example.
- the multi instance matching unit 140 transmits the same in-line packet to two in-line instances and each in-line instance receives the in-line packet through a channel occupied by each in-line instance.
- the other in-line instance may perform the judgment job, and interruption and logging functions with respect to the corresponding packet, and as a result, an reallocation of the judgment job need not when the hindrance occurs.
- the multi instance matching unit 140 distributes and allocates the judgment job of the effective packet to each in-line instance through load balancing.
- the multi instance matching unit 140 may divide and allocate the judgment job of the effective packet substantially by halves based on the traffic and may distinguish the protocol of the effective packet to distribute and allocate the distinguished protocol to the in-line instance that takes charge of processing each protocol.
- FIG. 3B when one in-line instance is not normally operated due to the fail, all the packets which are transmitted to the broken in-line instance are transmitted to the other in-line instance which is normally operated, and as a result, high availability can be assured by the other in-line instance.
- the multi instance matching unit 140 transmits the effective packet to be processed by in-line method based on the protocol to the in-line instance and transmits the other effective packet to the mirroring instance.
- the in-line instance is broken, all the effective packets are mirrored to the mirroring instance which is normally operated to assure high availability by the mirroring instance.
- the DLP apparatus includes two in-line instances as an example, but even though the DLP apparatus includes only the mirroring instance without the in-line instance, the DLP apparatus may perform the same function.
- an optimized service can be provided for each protocol by a fail restoring device providing an in-line method, a mirroring method, or an in-line/mirroring dual method according to software set-up, efficiency of network operating/maintenance can be improved, effectiveness of an implementation/maintenance cost can also be improved, and high availability of a network can be assured.
- the implementation cost can be reduced according to ensuring high availability by multi instance software and one DLP-exclusive hardware in one system without providing a plurality of systems or a plurality of packet processing boards like the related art.
- One instance software is driven per channel by driving multi-instances in one system, and as a result, another instance processes corresponding packets even though a fail occurs in one instance to assure availability of the network itself, and high availability and high reliability of a DLP function. Accordingly, the present invention can be more efficient to a recent network environment in which most of the causes of the fail are not hardware factors but software factors such as excessive traffics or the use of excessive resources.
Abstract
Description
- This application claims priority under 35 U.S.C. §119 to Korean Patent Application No. 10-2011-0140585, filed on Dec. 22, 2011, in the Korean Intellectual Property Office, the disclosure of which is incorporated herein by reference in its entirety.
- The present invention relates to a high-performance package security system, and more particularly, to a DLP security system capable of processing and filtering a packet in an in-line method or a mirroring method and an operating method thereof.
- In general, a content-aware data loss prevention (DLP) security system prevents an accident by interrupting or leaving a log when a user accesses customer's personal confidential information, an in-company confidential material, and the like through an e-mail, a messenger, a P2P, or the like.
- Moreover, the DLP security system may perform content and protocol based information leakage prevent on and malignant activity interrupt on functions such as blocking accessing to unsound sites or leaving log information when the user accesses the Internet.
- The DLP security system in the related art is determined and operated in a specific network matching method between an in-line method and a mirroring method during initial installation. Specifically, the DLP security system using the in-line method in the related art is installed directly on a network line to interrupt a bidirectional packet in real time or leave the log. The DLP security system using the mirroring method in the related art collects a packet receiving the bidirectional packet through a TAP without influencing an original traffic installing the TAP on the network line.
- The DLP security system using the in-line method in the related art is linked with an additional fail over device (F.O.D) system against a network fail in which an Internet line is interrupted and the Internet is disconnected when a system fail occurs to continuously provide a service among existing networks through an F.O.D even though a system fail occurs, thereby making it possible to assure network availability. However, the DLP security system in the related art cannot but abandon logging and interrupting functions of personal information leakage packets during replacing or restoring the system.
- The DLP security system using the mirroring method in the related art does not influence an original network at all even when the system is broken, but there is a problem in that a real-time interruption rate is deteriorated according to an Internet protocol or network components. Further, the DLP security system of the mirroring method in the related art cannot but abandon logging and interrupting functions of packets during replacing or restoring the system.
- An exemplary embodiment of the present invention provides a DLP apparatus, including: an Ethernet signal matching unit converting Ethernet signals received from a fail over device that are transmitted and received between an external network and an internal network; a packet processing unit classifying the packets into first packets required to be precisely judged and packets not required to be precisely judged and transferring the second packets to the fail over device to transmit the corresponding packets to an original destination; multi instance software operating a plurality of processing instances judging whether the first packets are final packets requiring log storing or session interruption by a predetermined judgment algorithm; a multi instance matching unit allocating a judgment job of the first packets to the plurality of processing instances according to a predetermined reference; and a management instance software verifying whether there is a processing instance which is normally operated among the plurality of processing instances when a fail occurs in at least one of the plurality of processing instances and command the multi instance matching unit to allocate the judgment job which is allocated to the processing instance in which the fail occurs to the processing instance which is normally operated when there is the processing instance which is normally operated.
- Another exemplary embodiment of the present invention provides a DLP security system, including: a fail over device exchanging Ethernet signals transmitted and received between an external network and an internal network in an in-line method or a mirroring method; and a DLP apparatus including a processing instance judging whether log storing or interruption is required with respect to packets corresponding to the Ethernet signals and performing processing corresponding to a result of the judging, receiving the Ethernet signals in the in-line method from the fail over device controlling the fail over device in the in-line method when the processing instance is normally operated, and receiving the Ethernet signals in the mirroring method from the fail over device controlling the fail over device in the mirroring method when a fail occurs in the processing instance.
- Yet another exemplary embodiment of the present invention provides an operating method of a DLP apparatus, including: converting, into packets, Ethernet signals received from a fail over device that are transmitted and received between an external network and an internal network; analyzing the packets to classify the packets into first packets required to be precisely judged and second packets not required to be precisely judged; distributing and allocating a judgment job about the first packet to at least one in-line instance according to a predetermined reference; and allocating the judgment job distributed to the in-line instance in which a fail occurs to the in-line instance which is normally operated when it is verified whether there is the in-line instance which is normally operated in the case where the fail occurs in the at least one in-line instance.
- Other features and aspects will be apparent from the following detailed description, the drawings, and the claims.
-
FIG. 1 is a configuration diagram showing a content-aware DLP security system according to an exemplary embodiment of the present invention. -
FIG. 2A is a flowchart showing an operating method of a DLP apparatus according to an exemplary embodiment of the present invention. -
FIG. 2B is a diagram showing a fail over device set by a mirroring method according to an exemplary embodiment of the present invention. -
FIG. 3A is a diagram showing a duplication mode according to an exemplary embodiment of the present invention. -
FIG. 3B is a diagram showing a load balancing mode according to an exemplary embodiment of the present invention. -
FIG. 3C is a diagram showing a dual mode according to an exemplary embodiment of the present invention. - Hereinafter, exemplary embodiments will be described in detail with reference to the accompanying drawings. Throughout the drawings and the detailed description, unless otherwise described, the same drawing reference numerals will be understood to refer to the same elements, features, and structures. The relative size and depiction of these elements may be exaggerated for clarity, illustration, and convenience. The following detailed description is provided to assist the reader in gaining a comprehensive understanding of the methods, apparatuses, and/or systems described herein. Accordingly, various changes, modifications, and equivalents of the methods, apparatuses, and/or systems described herein will be suggested to those of ordinary skill in the art. Also, descriptions of well-known functions and constructions may be omitted for increased clarity and conciseness.
- Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings.
FIG. 1 is a configuration diagram showing a content-aware DLP security system according to an exemplary embodiment of the present invention. - As shown in
FIG. 1 , the content-awareDLP security system 12 includes a fail over device (F.O.D) 200 and aDLP apparatus 100. - The F.O.D 200 transmits an Ethernet signal between an external network and an internal network to the
DLP apparatus 100 by an in-line method or a mirroring method according to a control of theDLP apparatus 100. - The F.O.D 200 transfers input/output packets of bidirectional (inbound and outbound) traffic to the
DLP apparatus 100 operating in an in-line method during a normal operation, or receives the input/output packets from theDLP apparatus 100 to transmit the corresponding input/output packets to a destination. - Specifically, the network traffics between the external network and the internal network are divided into the in-bound traffics transferred from {circle around (┐)} to {circle around (┐)}′ and out-bound traffics transferred from {circle around (2)} to {circle around (2)}′. The F.O.D 200 primarily transfers all of the bidirectional network traffics to the
DLP apparatus 100 and theDLP apparatus 100 packet-processes the traffics and thereafter, the F.O.D 200 receives packets judged that precise judgment is not required again to transmit the received packets to an original destination network. - Meanwhile, the F.O.D 200 is switched to the mirroring method when the fail of the
DLP apparatus 100 occurs and mirrors the Ethernet signal between the external network and the internal network in the mirroring method using a TAP as a network switch to transmit the mirrored Ethernet signal to theDLP apparatus 100. - The
DLP apparatus 100 includes a networkstate controlling unit 130, an Ethernetsignal matching unit 110, a packet processing unit 120, a multiinstance matching unit 140, andmulti instance software 150. In this case, the Ethernetsignal matching unit 110 and the packet processing unit 120 may be included in PCI-e typepacket processing card 110 and 120. In addition, the PCI-e typepacket processing card 110 and 120 and the multiinstance matching unit 140 are provided in one main board and themulti instance software 150 andmanagement instance software 160 may be executed in the corresponding board. - The network
state controlling unit 130 transfers a control command to the F.O.D 200 to control a network matching method of the F.O.D 200 by the in-line method or mirroring method. In this case, the networkstate controlling unit 130 may switch the network matching method according to a control of themanagement instance software 160. - The Ethernet
signal matching unit 110 includes two Ethernet ports that transmit and receive the bidirectional network traffics, respectively and converts the Ethernet signals inputted into and outputted from the two Ethernet ports into packet types to transfer the converted packets to the packet processing unit 120. - The packet processing unit 120 analyzes, filters, pattern-matches or session-manages the inputted/outputted packets to filter effective packets required to be precisely judged. In this case, the packet processing unit 120 may be a multi core processor or multi core logic.
- Specifically, the packet processing unit 120 analyzes the inputted/outputted packets, verifies information on the packets, filters the packets, pattern-matches the packets, or session-manages the packets depending on their own purposes, and transfers the effective packets required to be precisely judged for interruption or logging to the
multi instance software 150 through the multiinstance matching unit 140 and retransmits other packets which may be passed to the F.O.D 200 to transmit the corresponding packets to an original destination network. - The multi
instance matching unit 140 may allocate a judgment job of the effective packets received from the packet processing unit 120 to themulti instance software 150 in various methods. - For example, the multi
instance matching unit 140 may allocate the same judgment job to each in-line instance to perform the same judgment job, distribute and allocate the judgment job based on the traffics so as to allocate substantially the same traffics to each in-line instance, and transfer effective packet of corresponding protocols to the in-line instances that take charge of different protocols to allocate the judgment job based on the protocol of the effective packet. - The
management instance software 160 may verify the traffic (processing load), an operational state of each in-line instance, or the like, notify occurrence of an error to the multiinstance matching unit 140 when the error occurs in the in-line instance, and control the network matching method of the F.O.D 200 according to the operational state (the occurrence of the fail or not) of the in-line instance. - Specifically, the
management instance software 160 may control the F.O.D 200 in the in-line method through the networkstate controlling unit 130 when the in-line instance is normally operated and control the F.O.D 200 in the mirroring method when the fail occurs in all the in-line instances. - The
multi instance software 150 as software operating a plurality of instances is mounted with a judgment algorithm, a logging function, and an interruption function. - Each in-line instance and each mirroring instance judge whether the effective packets received from the multi
instance matching unit 140 are packets (final effective packets) harmful or confidential information, according to the judgment algorithm and when each in-line instance and each mirroring instance judge that the effective packets are the final effective packets, each in-line instance and each mirroring instance interrupt a session corresponding to the final effective packet or store a log for the final effective packet according to a predetermined policy corresponding to the type. - Meanwhile, when the in-line instance is allocated with the judgment job for the effective packet, the in-line instance performs the corresponding judgment job in real time and processes the judgment job in the in-line method in which other processing of the corresponding effective packet cannot be performed until the judgment job of the corresponding effective packet ends. Therefore, the in-line instance generally processes a small quantity of traffics.
- Since the mirroring instance performs post-processing of the effective packet while being allocated with the judgment job of the effective packet, the mirroring instance processes the judgment job in the mirroring method which does not influence even other processing of the corresponding effective packet even though the judgment job of the corresponding effective packet does not end. Therefore, the mirroring instance generally processes a large quantity of traffics.
- Meanwhile, the DLP apparatus of
FIG. 1 includes total n-1 in-line instances and one mirroring instance as an example, but the DLP apparatus may include a plurality of instances constituted by in-line instances and mirroring instances half and half and may be configured to include only a plurality of in-line instances or only a plurality of mirroring instances. - Referring to
FIGS. 2A and 2B , an operating method of the DLP apparatus according to an exemplary embodiment of the present invention when the fail occurs in the in-line instance in the DLP security system having the structure shown inFIG. 1 will be described.FIG. 2A is a flowchart showing an operating method of a DLP apparatus according to an exemplary embodiment of the present invention andFIG. 2B is a diagram showing a fail over device set by a mirroring method according to an exemplary embodiment of the present invention. - Referring to
FIG. 2A , themanagement instance software 160 verifies whether the fail occurs in the in-line instance (S210). - The
management instance software 160 verifies whether the fail occurs in all the in-line instances when the fail occurs in the in-line instance (S220). Themanagement instance software 160 processes the corresponding judgment job by other in-line instance or mirroring instance controlling the multiinstance matching unit 140 so as to distribute the judgment job of the effective packet allocated to the in-line instance in which the fail occurs to other in-line instance or mirroring instance when the fail does not occur in all the in-line instance (S260). - The
management instance software 160 switches the F.O.D 200 to the mirroring method through the networkstate controlling unit 130 when the fail occurs in all the in-line instances (S230). Therefore, the F.O.D 200 may continuously perform the judgment job of the effective packet by the mirroring instance while continuously collecting the effective packet mirroring the network traffic to theDLP apparatus 100 and bypassing the network traffic connecting the network traffics of {circle around (┐)} and {circle around (┐)}′ and {circle around (2)} and {circle around (2)}′ by the TAP, as shown inFIG. 2B . - The
management instance software 160 verifies whether the in-line instance is restored while continuously performing the judgment job by the mirroring instance (S240). - The
management instance software 160 switches the F.O.D 200 to the in-line method through the networkstate controlling unit 130 when the in-line instance is restored (S250). Then, the F.O.D 200 is switched to the in-line method again to transfer the network traffics by the in-line method and themulti instance software 150 may normally in-line process the packets. - Meanwhile, the DLP security system including the plurality of in-line instances and at least one mirroring instance is described as an example in
FIGS. 2A and 2B , but the DLP security system may include only the in-line instance or only the mirroring instance. The DLP security system including only the in-line instance allocates the judgment job allocated to the in-line instance in which the fail occurs to the in-line instance which is normally operated when even one in-line instance is normally operated. Further, the DLP security system including only the mirroring instance allocates the judgment job allocated to the mirroring instance in which the fail occurs to the mirroring instance which is normally operated when even one mirroring instance is normally operated. - Hereinafter, a packet processing method of a DLP apparatus according to an exemplary embodiment of the present invention will be described with reference to
FIGS. 3A to 3C . -
FIG. 3A is a diagram showing a duplication mode according to an exemplary embodiment of the present invention,FIG. 3B is a diagram showing a load balancing mode according to an exemplary embodiment of the present invention, andFIG. 3C is a diagram showing a dual mode according to an exemplary embodiment of the present invention.FIGS. 3A and 3B show a DLP apparatus including two in-line instances as an example andFIG. 3C show a DLP apparatus including one in-line instance and one mirroring instance as an example. - In the duplication mode of
FIG. 3A , the multiinstance matching unit 140 transmits the same in-line packet to two in-line instances and each in-line instance receives the in-line packet through a channel occupied by each in-line instance. InFIG. 3A , even though a hindrance such as the fail occurs in one in-line instance, the other in-line instance may perform the judgment job, and interruption and logging functions with respect to the corresponding packet, and as a result, an reallocation of the judgment job need not when the hindrance occurs. In this case, only one in-line instance performs the judgment job, and the interruption and logging functions when one in-line instance is normally operated and the other one in-line instance may perform the judgment job, and the interruption and logging functions when the hindrance occurs in one in-line instance. - In the load balancing mode of
FIG. 3B , the multiinstance matching unit 140 distributes and allocates the judgment job of the effective packet to each in-line instance through load balancing. In this case, the multiinstance matching unit 140 may divide and allocate the judgment job of the effective packet substantially by halves based on the traffic and may distinguish the protocol of the effective packet to distribute and allocate the distinguished protocol to the in-line instance that takes charge of processing each protocol. Even inFIG. 3B , when one in-line instance is not normally operated due to the fail, all the packets which are transmitted to the broken in-line instance are transmitted to the other in-line instance which is normally operated, and as a result, high availability can be assured by the other in-line instance. - As shown in
FIG. 3C , in the dual mode in which the in-line instance and the mirroring instance are mixed, the multiinstance matching unit 140 transmits the effective packet to be processed by in-line method based on the protocol to the in-line instance and transmits the other effective packet to the mirroring instance. InFIG. 3C , when the in-line instance is broken, all the effective packets are mirrored to the mirroring instance which is normally operated to assure high availability by the mirroring instance. - In
FIGS. 3A and 3B , the DLP apparatus includes two in-line instances as an example, but even though the DLP apparatus includes only the mirroring instance without the in-line instance, the DLP apparatus may perform the same function. - As set forth above, according to exemplary embodiments of the present invention, an optimized service can be provided for each protocol by a fail restoring device providing an in-line method, a mirroring method, or an in-line/mirroring dual method according to software set-up, efficiency of network operating/maintenance can be improved, effectiveness of an implementation/maintenance cost can also be improved, and high availability of a network can be assured.
- The implementation cost can be reduced according to ensuring high availability by multi instance software and one DLP-exclusive hardware in one system without providing a plurality of systems or a plurality of packet processing boards like the related art.
- One instance software is driven per channel by driving multi-instances in one system, and as a result, another instance processes corresponding packets even though a fail occurs in one instance to assure availability of the network itself, and high availability and high reliability of a DLP function. Accordingly, the present invention can be more efficient to a recent network environment in which most of the causes of the fail are not hardware factors but software factors such as excessive traffics or the use of excessive resources.
- A number of exemplary embodiments have been described above. Nevertheless, it will be understood that various modifications may be made. For example, suitable results may be achieved if the described techniques are performed in a different order and/or if components in a described system, architecture, device, or circuit are combined in a different manner and/or replaced or supplemented by other components or their equivalents. Accordingly, other implementations are within the scope of the following claims.
Claims (11)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020110140585A KR101275707B1 (en) | 2011-12-22 | 2011-12-22 | Network based data loss prevention appliance system of multi instance structure which assures high availability and provides mirroring, in-line, and mirroring/in-line dual network adjustment method and the operating method thereof |
KR10-2011-0140585 | 2011-12-22 |
Publications (2)
Publication Number | Publication Date |
---|---|
US20130166981A1 true US20130166981A1 (en) | 2013-06-27 |
US8966606B2 US8966606B2 (en) | 2015-02-24 |
Family
ID=48655787
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/362,838 Expired - Fee Related US8966606B2 (en) | 2011-12-22 | 2012-01-31 | Apparatus and security system for data loss prevention, and operating method of data loss prevention apparatus |
Country Status (2)
Country | Link |
---|---|
US (1) | US8966606B2 (en) |
KR (1) | KR101275707B1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160021131A1 (en) * | 2014-07-21 | 2016-01-21 | David Paul Heilig | Identifying stealth packets in network communications through use of packet headers |
CN108958989A (en) * | 2017-06-06 | 2018-12-07 | 北京猎户星空科技有限公司 | A kind of system failure recovery method and device |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101480128B1 (en) * | 2013-12-19 | 2015-01-07 | (주)소만사 | Network based data loss prevention appliance system providing load-balancing and duplexing using mirroring and inline packet processing and method for the same |
CN109040110B (en) * | 2018-08-31 | 2021-10-22 | 新华三信息安全技术有限公司 | Outgoing behavior detection method and device |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5699500A (en) * | 1995-06-01 | 1997-12-16 | Ncr Corporation | Reliable datagram service provider for fast messaging in a clustered environment |
US20030140124A1 (en) * | 2001-03-07 | 2003-07-24 | Alacritech, Inc. | TCP offload device that load balances and fails-over between aggregated ports having different MAC addresses |
US20030145117A1 (en) * | 2002-01-30 | 2003-07-31 | Bhat Gangadhar D. | Intermediate driver having a fail-over function for a virtual network interface card in a system utilizing infiniband architecture |
US20050177762A1 (en) * | 2003-12-19 | 2005-08-11 | Nokia Inc. | Method and system for efficiently failing over interfaces in a network |
US20080205263A1 (en) * | 2007-02-28 | 2008-08-28 | Embarq Holdings Company, Llc | System and method for advanced fail-over for packet label swapping |
US20110219208A1 (en) * | 2010-01-08 | 2011-09-08 | International Business Machines Corporation | Multi-petascale highly efficient parallel supercomputer |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100855205B1 (en) | 2008-06-24 | 2008-09-01 | 주식회사 나우콤 | Apparatus and method for controlling stable network traffic of highly stable availability |
-
2011
- 2011-12-22 KR KR1020110140585A patent/KR101275707B1/en active IP Right Grant
-
2012
- 2012-01-31 US US13/362,838 patent/US8966606B2/en not_active Expired - Fee Related
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5699500A (en) * | 1995-06-01 | 1997-12-16 | Ncr Corporation | Reliable datagram service provider for fast messaging in a clustered environment |
US20030140124A1 (en) * | 2001-03-07 | 2003-07-24 | Alacritech, Inc. | TCP offload device that load balances and fails-over between aggregated ports having different MAC addresses |
US20030145117A1 (en) * | 2002-01-30 | 2003-07-31 | Bhat Gangadhar D. | Intermediate driver having a fail-over function for a virtual network interface card in a system utilizing infiniband architecture |
US20050177762A1 (en) * | 2003-12-19 | 2005-08-11 | Nokia Inc. | Method and system for efficiently failing over interfaces in a network |
US20080205263A1 (en) * | 2007-02-28 | 2008-08-28 | Embarq Holdings Company, Llc | System and method for advanced fail-over for packet label swapping |
US20110219208A1 (en) * | 2010-01-08 | 2011-09-08 | International Business Machines Corporation | Multi-petascale highly efficient parallel supercomputer |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160021131A1 (en) * | 2014-07-21 | 2016-01-21 | David Paul Heilig | Identifying stealth packets in network communications through use of packet headers |
US10659478B2 (en) * | 2014-07-21 | 2020-05-19 | David Paul Heilig | Identifying stealth packets in network communications through use of packet headers |
CN108958989A (en) * | 2017-06-06 | 2018-12-07 | 北京猎户星空科技有限公司 | A kind of system failure recovery method and device |
Also Published As
Publication number | Publication date |
---|---|
US8966606B2 (en) | 2015-02-24 |
KR101275707B1 (en) | 2013-07-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP6106718B2 (en) | Physical unidirectional communication apparatus and method | |
US8842536B2 (en) | Ingress rate limiting | |
US20080239961A1 (en) | Packet routing based on application source | |
EP1164766A2 (en) | Switch connection control apparatus for channels | |
US8966606B2 (en) | Apparatus and security system for data loss prevention, and operating method of data loss prevention apparatus | |
EP3417576B1 (en) | Enhance communication of network traffic | |
CA2887428C (en) | A computer implemented system and method for secure path selection using network rating | |
US9306959B2 (en) | Dual bypass module and methods thereof | |
TW200910275A (en) | Method for dynamically reassigning virtual lane buffer allocation to maximize IO performance | |
CN105357090A (en) | Load balancing method and device for externally-connected bus service system | |
CN103973560A (en) | Device and method for fault treatment of stack links in IRF (intelligent resilient framework) system | |
CN108924058A (en) | Service traffics transmission method and device | |
CN114363242A (en) | Dynamic multi-path optimization method, system and equipment based on cloud network fusion technology | |
US20100250757A1 (en) | Redirection of a request for information | |
US8849112B2 (en) | Apparatus, system, and method for asymmetrical and dynamic routing | |
WO2017000096A1 (en) | Link recovery method and network device | |
US10652310B2 (en) | Secure remote computer network | |
JP2003152806A (en) | Switch connection control system for communication path | |
WO2020165320A1 (en) | Handover of a latency critical application | |
KR101695958B1 (en) | Apparatus and method for securing commuication for electric power demand response system | |
KR101480128B1 (en) | Network based data loss prevention appliance system providing load-balancing and duplexing using mirroring and inline packet processing and method for the same | |
CN105337888A (en) | Multinuclear forwarding-based load balancing method and device, and virtual switch | |
JP6338186B2 (en) | Virtual network system | |
US20120134265A1 (en) | Traffic control system for step-by-step performing traffic control policies, and traffic control method for the same | |
JP5669647B2 (en) | Priority control method and communication system using multiple communication ports |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: SOMANSA CO., LTD., KOREA, REPUBLIC OF Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LEE, SANG SEOK;KIM, TAE WAN;CHOI, IL HOON;REEL/FRAME:027673/0619 Effective date: 20120130 |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2551); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY Year of fee payment: 4 |
|
FEPP | Fee payment procedure |
Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY |
|
LAPS | Lapse for failure to pay maintenance fees |
Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY |
|
STCH | Information on status: patent discontinuation |
Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362 |
|
FP | Lapsed due to failure to pay maintenance fee |
Effective date: 20230224 |